[11537] in North American Network Operators' Group


Re: how to protect name servers against cache corruption

daemon@ATHENA.MIT.EDU (Jon Lewis)
Thu Jul 31 23:54:14 1997

Date: Thu, 31 Jul 1997 23:47:24 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: "Thomas H. Ptacek" <tqbf@enteract.com>
cc: nanog@merit.edu
In-Reply-To: <199707302338.SAA24573@enteract.com>

On Wed, 30 Jul 1997, Thomas H. Ptacek wrote:

> I suppose the operations context to this is, "hey, you realize DNS is
> COMPLETELY BROKEN? What are your plans for dealing with the possibility
> of someone posting exploits?" Do we simply stop using DNS?

The same could be said of IP.  If you forge packets and ICMP or UDP attack
someone, as long as your packets cross a busy enough NAP (say one of the
MAEs) you can do it with impunity and effectively knock entire ISPs off
the internet.

"And how do I configure my router for that?"  Use access-lists to prevent
your networks from accepting spoofed packets from your customers, or
insist that they use such filters on their routers. 

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
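
The customer-facing access-list check described in the message above, modelled as an added example that is not part of the original post. The interface names, prefixes (RFC 5737 documentation ranges) and packets are constructed assumptions.

```python
import ipaddress

# Constructed sample data: hypothetical customer interfaces and the
# prefixes assigned to each customer (RFC 5737 documentation ranges).
CUSTOMER_PREFIXES = {
    "Serial0": ["192.0.2.0/24"],
    "Serial1": ["198.51.100.0/25", "198.51.100.128/26"],
}

def build_filters(assignments):
    """Compile a per-interface permit list; anything not listed is denied."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assignments.items()}

def permit_inbound(filters, ifname, src):
    """True if a packet arriving on customer interface `ifname` has a source
    address inside a prefix assigned to the customer on that interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: drop
    # An interface with no permit list gets the implicit deny.
    return any(addr in net for net in filters.get(ifname, []))

def audit(filters, packets):
    """Split (interface, source) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for ifname, src in packets:
        (forwarded if permit_inbound(filters, ifname, src) else dropped).append((ifname, src))
    return forwarded, dropped

# Constructed inbound packets as (arrival interface, claimed source address).
SAMPLE_PACKETS = [
    ("Serial0", "192.0.2.10"),      # customer's own address: forward
    ("Serial0", "203.0.113.5"),     # source outside assigned prefix: drop
    ("Serial1", "192.0.2.10"),      # another customer's address: drop
    ("Serial1", "198.51.100.130"),  # inside the second assigned prefix: forward
    ("Serial1", "198.51.100.200"),  # same /24 but not assigned: drop
    ("Serial2", "192.0.2.10"),      # interface with no permit list: drop
]

if __name__ == "__main__":
    fwd, drop = audit(build_filters(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    for ifname, src in drop:
        print(f"deny  {ifname} src={src}")
    for ifname, src in fwd:
        print(f"permit {ifname} src={src}")
```

The filter is keyed on the arrival interface, so an address that is valid for one customer is still dropped when it shows up on another customer's link.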

